IBM Support

QRadar: How do enhanced X-Force Rules interact with the X-Force server

Question & Answer


Question

How do enhanced X-Force Rules interact with the X-Force server?

Answer

When configuring enhanced X-Force rules, IBM X-Force Exchange provides a set of URLs to safely test the rules and actions chosen. With regard to the X-Force server and how the URL information provided by the Device Support Module (DSM) or Custom Event Property (CEP) to the Rule is parsed, the X-Force server is not limited to "exact URL matches". For instance, if you search for catjogger.win, which is currently categorized as malware, you will find that every host or URL having catjogger.win as its base URL also receives the malware categorization, such as the following URLs:

  • catjogger.win/test/123
  • http://xyz.catjogger.win/test/123
  • mail.catjogger.win

In these cases, catjogger.win passes on its categorization to anything else with the same base URL "catjogger.win" that the X-Force Exchange has not directly categorized yet.

In another example, if we investigate http://www.xforce-security.com, which is categorized as "Software / Hardware, IT Security / IT Information and General Business", we already know that the base URL xforce-security.com does not pass its categorization on to http://www.xforce-security.com/policy-check/url/, because that URL has been explicitly categorized by X-Force.

Therefore, based on the examples provided, the following can be stated as the X-Force server's behavior when categorizing URLs:

  • A base URL receives a categorization and passes it on to any unknown URL with the same base URL.
  • If the categorization of a URL differs from its base URL's category, then X-Force has explicitly set that category for a reason, to delineate the base from other pages.
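The two rules above can be modelled as a most-specific-match lookup: check the exact URL first, then walk up the host labels to the base domain. The following is an added illustration, not the X-Force server SDK or any IBM code; the category database is constructed from the examples on this page, and the category for the /policy-check/url/ page is a placeholder because the page does not state it.

```python
from urllib.parse import urlsplit

# Constructed sample of explicit X-Force Exchange categorizations (keys are
# normalized as host or host+path without scheme). Not a real database export.
EXPLICIT = {
    "catjogger.win": {"Malware"},
    "xforce-security.com": {"Software / Hardware",
                            "IT Security / IT Information",
                            "General Business"},
    # Placeholder category: the page only says this URL is explicitly categorized.
    "www.xforce-security.com/policy-check/url": {"PLACEHOLDER-EXPLICIT-CATEGORY"},
}


def normalize(url):
    """Split a URL, with or without a scheme, into (lower-case host, path)."""
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), parts.path.rstrip("/")


def candidate_keys(url):
    """Yield lookup keys from most to least specific: the exact host+path,
    then each host suffix (xyz.catjogger.win, catjogger.win), stopping
    before the bare TLD so a TLD never acts as a base URL."""
    host, path = normalize(url)
    if path:
        yield f"{host}{path}"
    labels = host.split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def categorize(url, db=EXPLICIT):
    """Return (matched_key, categories). A matched_key shorter than the
    queried URL means the category was inherited from a base URL; an
    explicit entry for the page itself always wins over the base."""
    for key in candidate_keys(url):
        if key in db:
            return key, db[key]
    return None, set()   # unknown to the (constructed) database
```

Comparing the returned key with the queried URL tells you whether a verdict was inherited from the base domain or set explicitly, which is the distinction the two rules above draw.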

When reviewing records on https://exchange.xforce.ibmcloud.com/ you may find DNS Records within the update. What you see in the DNS Records is similar to an nslookup, which returns A, AAAA, PTR and MX records. These results are a mixture of live requests and requests to the X-Force database. Most commonly, you will not see a URL in the DNS entry if you query for "regular" URLs like http://host.domain.tld. A URL such as the example mail.catjogger.win, which is an MX record, will usually only be found for domain.tld searches. This is due to how DNS functions within the RFCs that govern its behavior.

DNS Records are not looked at in X-Force Exchange, because the X-Force server SDK does not perform DNS live requests and is based on URLs only.

Where do you find more information?

QRadar: Verification that X-Force server database updates are current

QRadar: Testing X-Force Rules





Document Information

Modified date:
16 June 2018

UID

swg21998295